29 September 1997
Source: Hardcopy from Will Rodger,
Interactive Week
See related Stewart Baker analysis: http://jya.com/gak-baker.htm
ATTORNEYS AT LAW
1330 CONNECTICUT AVENUE, N.W.
WASHINGTON DC 20063
(202) 429-3000
FACSIMILE: (202) 429-3902
STEWART A.
BAKER
email: sbaker@steptoe.com
September 23, 1997
The Honorable Tom Bliley
Chairman
Committee on Commerce
House of Representatives
Washington, D.C. 20515-6115
Dear Chairman Bliley:
I am writing to express concern about the Oxley/Manton
amendment to the Committee's substitute for H.R. 695, the SAFE
Act.
Because I come to my concerns by a different route
than many of the others who have contacted you, my background may
be relevant. I was the General counsel of the national Security
Agency until 1994. Since leaving the Agency, I have advised
numerous private clients on encryption export controls,
compliance with the Communications Assistance to Law Enforcement
Act (CALEA), and other areas of the law where law enforcement and
national security concerns interact with emerging technologies.
(I should note at this point that my private clients don't share
my views on encryption policy; in fact, some of them are no doubt
appalled by my views.)
I was at the Agency when the Clipper chip was first
introduced, and I publicly defended the then-novel concept of key
escrow encryption. I thought then, and I think now, that key
recovery is the most promising technical solution to what
otherwise is a bitter and difficult policy choice. Key recovery
The Honorable Tom Bliley
September 23, 1997
Page 2
at least offers the possibility that we can have our cake and eat
it too -- get good security for our data without doing grave harm
to law enforcement.
The problem with key recovery and similar technologies
is that they are still more promise than reality, at least at
this time. So despite my sympathies for the goals that the
Oxley/Manton amendment seeks to achieve, I have grave doubts
about its wisdom as legislation. the Oxley/Manton amendment
would require that by January 1, 1999 any encryption available
for use in the United States include a feature that permits
authorized officials to obtain immediate access to the plaintext
of encrypted information without the knowledge or cooperation of
the person whose information is encrypted. This means that
industry and users would be allowed barely more than a year to
put in place an entirely new encryption technology. There are a
lot of problems with this rush to a implement a new technology.
First, because key recovery remains novel -- as do
other technologies designed to provide the "immediate decryption"
required by the Oxley/Manton amendment -- there are a limited
number of suppliers for such technology. And market forces have
not led companies to develop key recovery or similar approaches
in every case. Everyone agrees that there is a significant
corporate market for key recovery whenever encrypted data is
stored on a business user's hard drive. Perceiving this market,
many suppliers of stored-data encryption are developing (or have
developed) key recovery systems.
But encryption is probably most useful not for data
storage but for communications, particularly communications over
the air (wireless telecommunications) or over open networks such
as the Internet. For access to real-time encrypted
communications, businesses do not use key recovery. Typically,
the communication is decrypted on teh spot by the system and is
provided to the user in the clear, whether the data is voice or a
World Wide Web file. Since the user has the data in the clear,
the user is likely to store it -- if he stores it at all -- in
the clear. There's no need to save the keys that were used to
encrypt the transmission. In this field, therefore, there is no
private-market incentive to develop key recovery or other access
The Honorable Tom Bliley
September 23, 1997
Page 3
technologies. The only reason to do so is government fiat. It
is unrealistic to expect encryption producers to develop key
recovery or similar solutions to real-time communications
encryption, and then to deploy those solutions, all in a year or
two.
Second, forcing them to do so is highly risky. The
Oxley/Manton amendment regulates technology, and it contains a
strong bias for what might be described as "complete" technical
solutions. Encryption products must either contain a "built-in"
access feature or a feature that prevents the product from being
used in a system or network that does not include an access
point. Unfortunately, it is probably wrong to assume that
built-in technology is the only -- or even the best -- way to
address the conflict between encryption and law enforcement
access.
The banking industry, for example, can meet law
enforcement access requirements without key recovery. Banks
typically encrypt their information during transmission, when it
is vulnerable to interception and possible corruption. Once the
information reaches its destination it is typically decrypted,
acted upon, and stored in unencrypted form. Government
regulations assure the information is available for law
enforcement to access upon demand. Requiring the banks to use
accessible encryption would not only compel them to make a
terribly costly transition, but is also would create a security
hole that does not now exist.
The idea of building a vulnerability into our banking
systems is troubling. No doubt any security holes that result
can be closed eventually. But eliminating the risks will not be
free. So far as has been determined, NSA was able to close those
holes in the Clipper chip, but only by adopting a very costly
infrastructure. To force banks and other institutions to scrap
tested encryption technology and procedures and adopt new
products that have been rushed to market to meet an early
deadline is asking for trouble -- and trouble in our payment
system would be serious trouble indeed.
The Honorable Tom Bliley
September 23, 1997
Page 4
(Banks, of course, are only at the start of the list
of companies who cannot afford to discover security problems with
their encryption after the fact. U.S. companies concerned about
foreign commercial espionage need encryption without holes. So
do nonbanks with heavy financial responsibilities -- from credit
card companies to mutual funds to companies engaged in electronic
commerce.)
My third and final concern about Oxley/Manton is that
it assigns the Attorney General and Federal Bureau of
Investigation to administer an extraordinarily complex program of
commercial regulation.
The suggestion by Bureau officials that this is just
like CALEA is not reassuring. CALEA, which ordered
telecommunications carriers to make their switches
wiretap-capable in 1998, was far easier to implement than
Oxley/Manton will be. First, CALEA gave industry four years to
meet the deadline, not one. Second, unlike the largely
unregulated computer industry, the industry covered by CALEA had
been subject to extensive state and federal regulation since its
birth. Third, unlike computer firms, telecommunications carriers
had been carrying out wiretaps for 70 years as part of a
long-standing relationship with law enforcement. Fourth, the
technical challenge of CALEA was relatively limited -- carriers
were told to preserve law enforcement access to call contents;
they were not told to design new forms of access not previously
attempted. Fifth, and finally, the number of carriers and
companies affected by CALEA is limited compared to the companies
in the computer world that would be affected by Oxley/Manton.
(When a criminal makes a call that should be tapped, he probably
uses a local and perhaps a long-distance carrier; but if he sends
a file over the Internet, he could be using encryption supplied
by his Internet Service Provider or by his local network software
or by his operating system or by his browser or by some
additional application or hardware.)
Despite all of these advantages, three years after its
passage CALEA is in a state of near paralysis. As things stand
now, the wireless industry will be unable to meet the statutory
deadline for compliance because industry and government could not
The Honorable Tom Bliley
September 23, 1997
Page 5
agree on standards. The entire matter is the subject of
contentious filings at the FCC, which is being called upon to
umpire a host of technical and legal issues on which industry and
the FBI are at loggerheads.
The Bureau is a magnificent crime-solving agency; it
may be the best and most technically sophisticated law
enforcement agency in the world. But it should not be asked to
play a neutral, judicial role for which it is not suited, nor to
assign its most technically adept agents to spend years
understanding the relative merits of CDMA and TDMA wireless
standards. The Bureau's unwillingness to do these things
accounts in large part for the fact that CALEA is now pending
before the FCC for resolution.
Unfortunately, the Oxley/Manton amendment would put
the FBI in charge of regulating computer hardware and software
without providing a technically sophisticated umpire like the
FCC. Of course, there is no obvious neutral regulatory agency
with experience in the computer industry. But to leave
regulatory responsibility with one of the interested parties
is asking for conflict and litigation.
I hope these views are useful to you. No doubt they
will leave people on both sides of the debate unhappy with me.
But I am concerned that continued polarization on the issue means
that there has been too little consideration of the very real
difficulties that the government would encounter in trying to
administer the Oxley/Manton proposal. We cannot afford to make
too many mistakes in this area. This is a sector in which we are
the envy of the world, and we should step carefully in subjecting
it to sweeping new regulation.
Very truly yours,
[Signature]
Stewart A. Baker
[End]